And yes dev models over time. It’s the way that some people promote the way to inject scripts, modifying the DOM etc. Even with Modern Pages I’ve seen (imo) stupid scripts that modify the page outside the canvas.
Inventory doesn’t help if the CEO already visited the page with the rogue script… security is (unfortunately?) a huge thing for my clients. SPFx is not either perfect for this (yet, there are things suggested that would make it better), but it’s way better than before.